
It’s been a while since I celebrated getting funding from InternetNZ to research the human side of cyber security and how individual personality traits might play a part in common ‘socio-technical attacks’ like phishing, ransomware and online scams.

I’ve digested mounds of academic research spanning fields as diverse as human computer interaction, risk management, health promotion and social psychology. I’ve read books and blogs on social engineering and scammer tactics and have assembled the first draft of a conceptual scale that might help identify ‘high risk’ individuals when it comes to common cybercrime and cyber security attacks.

Taking inspiration from the agile “move fast and break things” mindset, it’s highly likely this will be the first of many iterations of a research questionnaire but I’m keen to get feedback from some willing guinea pig volunteers.

If you have 15 minutes to spare and the enthusiasm to road test an online survey, please do get in touch by email to research@ubisec.nz or message me on LinkedIn and I’ll happily share a URL with you.

The survey looks at basic demographic details, computer use, and health and lifestyle factors, and how they may shape risk appetite. The ultimate aim is to vulnerability scan ‘layer eight’: the human user who sits above the seven layers of the OSI stack and is not covered by any technical control.

“We have perfected the art of finding problems without fixing real world issues,” he told attendees. “We focus too much on complexity, not harm.”

The human side of information security and associated online harms is a major focus for me. Between August 2010 and August 2016, New Zealanders reported almost 28,500 online incidents to NetSafe involving $35m in direct financial losses.

Think of the individual who has remortgaged their house, drained their business of operating capital, or travelled to a hotel room thousands of miles away to meet the mysterious investor offering a handsome percentage in return for a small up-front payment.

Those experiences at NetSafe left me wanting to find solutions to what are increasingly known as ‘socio-technical attacks’. If you haven’t heard that term before, I’ll refer to Dr Jean-Louis Huynen: “A socio-technical attack is possible because of the human components in a system.”

Over those six years working at NetSafe, the most common – and most financially and/or emotionally harmful – forms of socio-technical attacks were:

Romance fraud

Investment fraud

Ransomware

Business Email Compromise (BEC)

Whether you classify those as cyber-enabled or pure cyber attacks isn’t the important point here. The key is that in the majority of those cases the weakest link in the system was a human being: a human who responded to the charms of a scammer, or who was curious enough to open the attachment that infected their own system and encrypted essential data.

Humans, it’s fair to say, can be wonderful things but they also come with a range of inherent flaws or vulnerabilities:

Many of us like to help people: that could mean holding the door open for someone in a hi-vis vest who tailgates into the building behind you, or giving the helpful ‘Microsoft’ technician remote access to your computer so they can fix the viruses.

Many of us respond to outside pressures and biases, such as deference to authority, curiosity or a general sense of invincibility, and so click on the malicious attachment or submit our credentials to a phishing page that looks just close enough to the real thing to ‘satisfice’ our need to verify that it really is the official bank website.

What cyber brings to the picture is a speed of operation and an ability to bridge distance that would have been unimaginable to criminals operating at the end of the 19th century. Speed, ease of operation and access to a global pool of victims equal profit, and that has changed the face of modern crime.

Look at the latest UK crime statistics and you’ll find that ‘cyber crime’ in the form of Computer Misuse and Cyber Enabled Fraud now makes up 53% of reported crime.

There’s no doubt that the technical skills involved in advanced, persistent, technically impressive attacks deserve a wry smile and a sense of awe.

But it’s becoming apparent that a failure to implement basic cyber hygiene steps, rather than sophisticated attackers, is often to blame. That includes failing to train your staff to recognise suspicious activity and to respond to potential cyber incidents.

“A lot of the attacks that we see on the internet today are not perpetrated by winged ninja cyber-monkeys. Attackers have to obey the laws of physics; they can’t do things that are physically impossible.”

The wonderful people at InternetNZ have provided me with funding this year to explore some of the root causes of those 28,500 incidents, to research why so many socio-technical attacks succeed, and to examine whether there might be a programmatic way to identify individual cyber security risk profiles and deliver adaptive security benefits in future.

It’s only the start of the project, but I’ll be posting updates as I progress in the hope we can continue to explore ways to help more people stay safe and secure online.